From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Thu, 26 May 2016 09:02:54 -0400
Subject: [refpolicy] [PATCH] Add policy for systemd-resolved
In-Reply-To: <1464266590-11700-1-git-send-email-bigon@debian.org>
References: <1464266590-11700-1-git-send-email-bigon@debian.org>
Message-ID: <82549f51-1b07-e1cc-2fe1-26f313840010@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
On 5/26/2016 8:43 AM, Laurent Bigonville wrote:
> From: Laurent Bigonville
> 
> Initial policy for systemd-resolved, tested with systemd 230 on debian
Merged.
> ---
> policy/modules/system/systemd.fc | 2 ++
> policy/modules/system/systemd.te | 40 ++++++++++++++++++++++++++++++++++++++++
> 2 files changed, 42 insertions(+)
> 
> diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
> index a0b5f0b..a987681 100644
> --- a/policy/modules/system/systemd.fc
> +++ b/policy/modules/system/systemd.fc
> @@ -17,6 +17,7 @@
> /usr/lib/systemd/systemd-localed -- gen_context(system_u:object_r:systemd_locale_exec_t,s0)
> /usr/lib/systemd/systemd-logind -- gen_context(system_u:object_r:systemd_logind_exec_t,s0)
> /usr/lib/systemd/systemd-machined -- gen_context(system_u:object_r:systemd_machined_exec_t,s0)
> +/usr/lib/systemd/systemd-resolved -- gen_context(system_u:object_r:systemd_resolved_exec_t,s0)
> /usr/lib/systemd/systemd-user-sessions -- gen_context(system_u:object_r:systemd_sessions_exec_t,s0)
> 
> # Systemd unit files 
> @@ -33,6 +34,7 @@
> /var/run/\.nologin[^/]* -- gen_context(system_u:object_r:systemd_sessions_var_run_t,s0)
> /var/run/nologin -- gen_context(system_u:object_r:systemd_sessions_var_run_t,s0)
> 
> +/var/run/systemd/resolve(/.*)? gen_context(system_u:object_r:systemd_resolved_var_run_t,s0)
> /var/run/systemd/seats(/.*)? gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
> /var/run/systemd/sessions(/.*)? gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
> /var/run/systemd/users(/.*)? gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
> diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
> index 0bed23c..e42f3ca 100644
> --- a/policy/modules/system/systemd.te
> +++ b/policy/modules/system/systemd.te
> @@ -80,6 +80,13 @@ type systemd_nspawn_t;
> type systemd_nspawn_exec_t;
> init_system_domain(systemd_nspawn_t, systemd_nspawn_exec_t)
> 
> +type systemd_resolved_t;
> +type systemd_resolved_exec_t;
> +init_system_domain(systemd_resolved_t, systemd_resolved_exec_t)
> +
> +type systemd_resolved_var_run_t;
> +files_pid_file(systemd_resolved_var_run_t)
> +
> type systemd_run_t;
> type systemd_run_exec_t;
> init_daemon_domain(systemd_run_t, systemd_run_exec_t) 
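Review bot: The new systemd_resolved_var_run_t type is declared here, but nothing in the patch lets any other domain read what the daemon writes under it — the diffstat lists only systemd.fc and systemd.te, so no systemd.if interface accompanies the type. If the resolv.conf that resolved maintains in /var/run/systemd/resolve is what /etc/resolv.conf points at on these systems (presumably so on the Debian setup named in the commit message — verify), every domain that goes through auth_use_nsswitch will be denied following that symlink into a systemd_resolved_var_run_t file. A small read interface in systemd.if (for example a `systemd_read_resolved_runtime(domain)` built from read_files_pattern on systemd_resolved_var_run_t plus search on the parent pid directories), called from the nsswitch/DNS resolution path, would close that gap; it can be a follow-up patch, but it is worth recording as a known hole now.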
> @@ -244,6 +251,39 @@ optional_policy(`
> 
> #########################################
> #
> +# Resolved local policy
> +#
> +
> +allow systemd_resolved_t self:capability { chown setgid setpcap setuid };
> +allow systemd_resolved_t self:process { getcap setcap setfscreate signal };
> +
> +allow systemd_resolved_t self:tcp_socket { accept listen };
> +
> +manage_dirs_pattern(systemd_resolved_t, systemd_resolved_var_run_t, systemd_resolved_var_run_t)
> +manage_files_pattern(systemd_resolved_t, systemd_resolved_var_run_t, systemd_resolved_var_run_t)
> +init_pid_filetrans(systemd_resolved_t, systemd_resolved_var_run_t, dir)
> +
> +kernel_read_crypto_sysctls(systemd_resolved_t)
> +kernel_read_kernel_sysctls(systemd_resolved_t)
> +kernel_read_system_state(systemd_resolved_t)
> +
> +corenet_tcp_bind_generic_node(systemd_resolved_t)
> +corenet_tcp_bind_llmnr_port(systemd_resolved_t)
> +corenet_udp_bind_generic_node(systemd_resolved_t)
> +corenet_udp_bind_llmnr_port(systemd_resolved_t)
> +
> +auth_use_nsswitch(systemd_resolved_t)
> +
> +seutil_read_file_contexts(systemd_resolved_t)
> +
> +systemd_log_parse_environment(systemd_resolved_t)
> +
> +optional_policy(`
> + dbus_system_bus_client(systemd_resolved_t)
> +')
> +
> +#########################################
> +#
> # Sessions local policy
> #
> 
-- 
Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com
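Review bot: `init_pid_filetrans(systemd_resolved_t, systemd_resolved_var_run_t, dir)` transitions every directory the daemon creates in the init pid directory to systemd_resolved_var_run_t, while the matching fc entry added in systemd.fc only covers /var/run/systemd/resolve; naming the directory, `init_pid_filetrans(systemd_resolved_t, systemd_resolved_var_run_t, dir, "resolve")`, keeps the runtime transition in step with the file context and avoids mislabelling anything else the domain might create there. The capability set on the first allow line (chown setgid setpcap setuid, together with the getcap/setcap process permissions) and the tcp_socket listen/accept grant carry no explanation; the capabilities are presumably for the daemon's drop to its own user and the listen/accept for the LLMNR TCP port bound just below, so a one-line comment above each, e.g. `# privilege drop to the dedicated service user (confirm against systemd 230)` and `# LLMNR TCP listener`, would let the next reader check the grants against the daemon rather than guess. The bind rules cover only the LLMNR port; if the tested daemon also answers on other ports, those denials will show up in testing and should be added as corenet port interfaces rather than a generic bind, but nothing in the hunk shows that is the case.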